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WHAT IS CLAIMED IS: 



1 1. A graphical user interface for configuring a new 

2 service detection process, the graphical user interface 

3 comprising: 

4 a first field that depicts choices for entities to 

5 track in the network; 

6 a second field that allows a system to track if the 

7 selected entity is providing or consuming a service; 

8 a third field that depicts a range over which to track 

9 an entity selected in the first field; and 

10 an fourth field to specify a severity for an alert 

11 generated if a new service is detected. 

1 2. The graphical user interface of claim 1 wherein 

2 the fields are linguistically tied together on the 

3 interface to form a sentence that corresponds to a rule. 

1 3, The graphical user interface of claim 1 further 

2 comprising: 

3 a list of new service detection rules stored in the 

4 detection system. 

1 4. The graphical user interface of claim 1 wherein 

2 the first field allows a user to specify entity to track as 

3 "a specific host", "any host in a specific role", "any host 

4 in a specific segment" or "any host." 

1 5. The graphical user interface of claim 1 wherein 

2 the third field specifies details for the extent of the 

3 comparison for the entity specified in the first field as 

4 "host", "in its role", "in its segment" or "anywhere" in 

5 the network. 
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1 6. The graphical user interface of claim 1 wherein 

2 event severity is a numerical value entered by the user. 

1 7. The graphical user interface of claim 1 wherein 

2 the fields are implemented a pull-down fields. 

1 8 . A method for detection of a new service involving 

2 an entity, the method comprises: 

3 retrieving a baseline list of port protocols used by a 

4 entity being tracked, the baseline value determined over a 

5 baseline period; 

6 retrieving a current list of port protocols for the 

7 entity being tracked; and 

8 determining whether there is a difference in the port 

9 protocols, by having a protocol that was in a current list 

10 but was not in the baseline list; and if there is a 

11 difference; 

12 indicating a new service involving the tracked entity. 

1 9. The method of claim 8 further comprising: 

2 determining if the entity is providing or using the 

3 new service. 

1 10. The method of claim 9 further comprising: 

2 determining whether a rule specified to issue an alert 

3 if the entity is providing or using the new service; and 

4 determining if the entity is providing or using the 

5 new service; and both determining actions match 

6 issuing the alert. 

1 11. The method of claim 9 further comprising: 
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2 retrieving a value corresponding to the alert severity 

3 level set for violation of the rule. 

1 12. The method of claim 8 wherein the entity is at 

2 least one of a specific host, any host in a specific role, 

3 any host in a specific segment, or any host. 

1 13. The method of claim 8 wherein the extent of the 

2 comparison is configured to for that host, in its role, in 

3 its segment or anywhere in the network. 

1 14. The method of claim 8 wherein the baseline and 

2 current lists of protocols are provided from data in a 

3 connection table. 

1 15. A computer program product residing on a computer 

2 readable medium for detection of new services in a network, 

3 the computer program product comprising instructions for 

4 causing a computer to: 

5 retrieve a baseline list of port protocols used by a 

6 entity being tracked, the baseline value determined over a 

7 baseline period; 

8 retrieve a current list of port protocols for the 

9 entity being tracked; and 

10 determine whether there is a difference in the port 

11 protocols, by having a protocol that was in a current list 

12 but was not in the baseline list; and if there is a 

13 difference; 

14 indicate a new service involving the tracked entity. 

1 16. The computer program product of claim 15 further 

2 comprising instructions to: 
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3 determine if the entity is providing or using the new 

4 service. 

1 17. The computer program product of claim 15 further 

2 comprising instructions to: 

3 determine whether a rule specifies to issue an alert 

4 if the entity is providing or using the new service; and 

5 issue the alert if the rule is violated. 

1 18. The computer program product of claim 15 wherein 

2 instructions to indicate further comprise instructions to: 

3 issue an alert if the new service is detected. 

1 19. The computer program product of claim 15 further 

2 comprising instructions to: 

3 retrieve a value corresponding to the alert severity 

4 level set for violation of the rule. 

1 20. The computer program product of claim 15 wherein 

2 the entity is at least one of a specific host, any host in 

3 a specific role, any host in a specific segment, or any 

4 host. 

1 21. The computer program product of claim 15 wherein 

2 the extent of the comparison is configured to for that 

3 host, in its role, in its segment or anywhere in the 

4 network. 

1 22. The computer program product of claim 15 further 

2 comprising instructions to: 

3 access a connection table to provide data for the 

4 baseline and current lists of protocols. 
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